Friday, February 7, 2014

Active Directory

Group Policy

From Active Directory.... control, secure and provide software deployments...


Microsoft Group Policy Site


Debugging Group Policy and AD Replication
So... today I started researching a problem that appears as a slow network. Is it DNS? Is it AD? Where do I start? Since one of my colleagues complained that a GPO did not work, I thought I'd start there...

Download GPOtool

I created a GPOtool folder on the C: drive and cd'd into it so I did not have to adjust the PATH.
I ran GPOtool and piped the output to a text file. Then I searched the file for the word ERROR.
Once the word was found in the file I ran gpotool against each DC. One came up with only 33% of the policies it should have... Houston, we have a problem!!!!

Some engineer I am... go and just check that the CMD or PowerShell session is an elevated ADMINISTRATOR session? There's a good boy....

Please note that at the time of starting this, the ISP had started to mess about with our IPs and WWW access, the cheeky sods. So much so that external traffic routing failed.... brilliant!! I'll keep this shoddy update up just to maintain the links to WWW resources. If your external traffic hits your firewall, go and just check that your ISP has not changed anything. Apparently they sent an email to the old IT Manager, got annoyed at not getting a reply and just performed maintenance without telling us.... brilliant!!

gpotool with no switches checks every GPO against every DC in the domain. It is a Resource Kit tool, so run it from an elevated session.
gpotool /dc:DCservername checks the GPOs on a single DC, which is how you narrow a domain-wide error down to the DC that is behind.
gpotool > filepathname redirects the output to a text file you can open and search for the word "error"; the section the search lands in names the faulty DC and the GPO. Adding /verbose makes gpotool print the DS (GPC) and SYSVOL (GPT) version numbers it is comparing, which tells you whether the AD side or the SYSVOL side is stale.

DCDIAG....

I've run dcdiag with the following switches....

dcdiag /c /f:"filepathname"

/c is the comprehensive test switch: it runs every test except DcPromo and RegisterInDns, which have to be requested explicitly.
/f: writes the output to a file. I always wrap the path in " " so that spaces and drive letters are interpreted correctly.


Repadmin: not used this yet; I have used replmon and dcdiag.
I'll post results and notes later.
Repadmin Link2
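As an added example that is not from the original post, this is how I would wrap the dcdiag switches above and the repadmin tool linked here so that a single elevated PowerShell session produces the two answers you actually want: which dcdiag tests failed, and which replication links have failures. It assumes RSAT or a DC (for dcdiag.exe and repadmin.exe), an elevated session, and a log folder of C:\GPOtool (the same folder used earlier in the post); the log path is my assumption.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session, dcdiag.exe and repadmin.exe on the PATH, C:\GPOtool exists.
$log = "C:\GPOtool\dcdiag-$(Get-Date -Format yyyyMMdd-HHmm).txt"

# /c = comprehensive (every test except DcPromo and RegisterInDns), /f: = write output to a file.
# Passing "/f:$log" as one argument keeps a path with spaces intact.
& dcdiag.exe /c "/f:$log"

# dcdiag prints one line per test: "... <server> passed test <name>" or "... failed test <name>".
$failed = @(Get-Content $log | Select-String -Pattern 'failed test')
if ($failed.Count -gt 0) {
    "dcdiag: $($failed.Count) failed test(s), full log in $log"
    $failed | ForEach-Object { $_.Line.Trim() }
} else {
    "dcdiag: all tests passed, full log in $log"
}

# repadmin /showrepl for every DC ('*') in CSV form parses straight into objects,
# so the links with a non-zero failure count can be filtered out of the noise.
$repl   = & repadmin.exe /showrepl '*' /csv | ConvertFrom-Csv
$broken = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if ($broken) {
    "repadmin: replication links with failures"
    $broken |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "repadmin: no replication failures reported"
}
```

The repadmin half only covers AD replication; a DC that replicates the directory cleanly can still have a stale SYSVOL, which is the FRS side described next.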

Two different replication mechanisms are involved in Group Policy, so a broken GPO can be broken on either side.

The Group Policy Container (GPC) is an LDAP object in AD under CN=Policies,CN=System in the domain, named by the GUID assigned when the GPO was created. It replicates by AD replication, and its versionNumber attribute is bumped every time the GPO is edited.

The Group Policy Template (GPT) is the folder of files that actually make up the policy, stored under SYSVOL\<domain>\Policies\{GUID} on every DC, using the same GUID as the GPC. SYSVOL replicates by FRS (or by DFS Replication on domains that have migrated SYSVOL), and the GPT.INI in that folder carries its own Version= line that must match the GPC versionNumber.

A GPC with no matching GPT on a DC, or a version mismatch between the two, is what gpotool reports as an error, and it points at SYSVOL replication rather than AD replication.... so now we debug FRS....
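The following is an added example, not code from the original post, that does by hand the comparison gpotool makes in the procedure above: for every GPO it reads the versionNumber on the GPC from each DC's own AD replica and the Version= line from GPT.INI in that DC's SYSVOL, then reports each DC where the GPT is missing or the versions disagree, and separately flags any GPC that has not yet reached every DC (an AD replication problem rather than an FRS one). It assumes PowerShell 3.0 or later, an elevated session on a domain-joined machine with read access to each DC's SYSVOL share, and a C:\GPOtool output folder; no AD module is needed.

```powershell
# Added example, not code from the original post.
# Assumptions: PowerShell 3.0+, elevated session, read access to \\<dc>\SYSVOL, C:\GPOtool exists.

# RootDSE gives the naming context of the domain this machine belongs to.
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDN   = [string]$rootDse.Get("defaultNamingContext")       # e.g. DC=corp,DC=example,DC=com
$domainFqdn = ($domainDN -replace 'DC=', '') -replace ',', '.'   # e.g. corp.example.com

$dcs = @([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindAllDomainControllers() |
         Select-Object -ExpandProperty Name)

$results = foreach ($dc in $dcs) {
    # Bind to the Policies container on this DC by name so we see that DC's replica, not the locator's pick.
    $policies = [ADSI]"LDAP://$dc/CN=Policies,CN=System,$domainDN"

    foreach ($gpc in $policies.Children) {
        $guid  = [string]$gpc.Get("cn")              # the {GUID} that also names the GPT folder
        $name  = [string]$gpc.Get("displayName")
        $adVer = [int]$gpc.Get("versionNumber")      # upper 16 bits user side, lower 16 bits computer side

        # The GPT for the same GUID lives in this DC's SYSVOL; GPT.INI carries "Version=<n>".
        $gptIni    = "\\$dc\SYSVOL\$domainFqdn\Policies\$guid\GPT.INI"
        $sysvolVer = $null
        if (Test-Path -LiteralPath $gptIni) {
            foreach ($line in Get-Content -LiteralPath $gptIni) {
                if ($line -match '^Version=(\d+)') { $sysvolVer = [int]$Matches[1] }
            }
        }

        $status = if ($null -eq $sysvolVer)         { 'GPT missing on this DC (SYSVOL/FRS)' }
                  elseif ($sysvolVer -eq $adVer)     { 'OK' }
                  else                               { 'Version mismatch (GPC vs GPT)' }

        [pscustomobject]@{
            DC            = $dc
            GPO           = $name
            Guid          = $guid
            ADVersion     = $adVer
            SysvolVersion = $sysvolVer
            Status        = $status
        }
    }
}

# A GPC seen on some DCs but not all has not finished AD replication; that is not an FRS problem.
foreach ($g in ($results | Group-Object Guid | Where-Object { $_.Count -lt $dcs.Count })) {
    $seenOn    = $g.Group | ForEach-Object { $_.DC }
    $missingOn = $dcs | Where-Object { $seenOn -notcontains $_ }
    "GPC $($g.Name) not yet replicated to: $($missingOn -join ', ')"
}

# Only the problems on screen, everything to CSV for later comparison.
$results | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path 'C:\GPOtool\gpo-versions.csv'
```

Reading each DC's replica directly is the point: if you let the locator pick a DC you only ever see one copy, which is exactly how a DC with a third of its GPTs missing stays hidden. A DC that shows "GPT missing" for most GPOs but has all the GPCs is the FRS case the post is chasing.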

FRS Debug Tools



3rd Party Vendor Sites


Specops is recommended quite highly: they provide tools that deploy apps while users are logged on, rather than during the boot process.


Forums & General Info

GPOguy

GPAnswers

How to find the RootDSE

Find RootDSE without AD Module
And now for the code I used.... from PoSh

# Bind to RootDSE, the pseudo-object every DC exposes; no credentials or AD module needed
$Root = [ADSI]"LDAP://RootDSE"

# rootDomainNamingContext is the forest root domain; use defaultNamingContext for the domain of the DC you bound to
$Domain = $Root.Get("rootDomainNamingContext")
$Domain

Why would I need this? Because the naming context it returns (for example DC=corp,DC=example,DC=com) is what you bind to when you connect directly to AD with the LDP utility (ldp.exe) to browse the directory.


Technet LDP overview


How to find all your DCs in AD
I've been trying to debug AD in a domain where I suspect DCs have been moved out of the default OUs, or someone just decided to rebuild a DC. Any doubts about your DCs? Run this... from PoSh

# Ask the machine's own domain for every DC it knows about; no AD module needed
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
# Each result also carries the DC's site, IP address and FSMO roles
$domain.FindAllDomainControllers() | Select-Object Name, SiteName, IPAddress, Roles


A good link to refer to is the Hey Scripting Guy post on finding your DCs....

Microsoft AD Debug Process

AD Debug Process

NLTest
Domain Secure Channel Utility
NLTest is the tool to use to check the secure channel from a machine (or a DC) to its domain, and to see which DC the locator hands out for that domain.

NLTest Documentation
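As an added example that is not from the original post, here is the nltest check I would run from an elevated PowerShell session on a domain-joined machine: query the secure channel, read the status line nltest prints, fall back to re-establishing the channel if it is broken, and then ask the locator which DC it would return. The domain name comes from $env:USERDNSDOMAIN, and the output lines shown in the comments are the usual nltest format, not captured from a real domain.

```powershell
# Added example, not code from the original post.
# Assumptions: domain-joined machine, elevated session, nltest.exe on the PATH.
$domain = $env:USERDNSDOMAIN        # DNS name of this machine's domain, set for a domain logon

# /sc_query: reports the DC holding the secure channel and its status. Typical output:
#   Trusted DC Name \\dc1.corp.example.com
#   Trusted DC Connection Status Status = 0 0x0 NERR_Success
#   The command completed successfully
$query  = & nltest.exe "/sc_query:$domain" 2>&1
$dcLine = $query | Select-String 'Trusted DC Name' | Select-Object -First 1
$status = $query | Select-String 'Connection Status' | Select-Object -First 1

if ($LASTEXITCODE -eq 0 -and $status -and $status.Line -match 'NERR_Success') {
    $trustedDc = $dcLine.Line -replace '.*Trusted DC Name\s+', ''
    "Secure channel to $domain OK via $trustedDc"
} else {
    "Secure channel to $domain is not healthy:"
    $query | ForEach-Object { "  $_" }
    # /sc_verify checks the channel and re-establishes it if it is broken (needs elevation)
    & nltest.exe "/sc_verify:$domain"
}

# /dsgetdc: which DC does the locator return for this domain, and what is it advertising?
# The Flags line (GC, PDC, KDC, TIMESERV, WRITABLE, CLOSEST_SITE, ...) shows what that DC offers.
& nltest.exe "/dsgetdc:$domain"

# Built-in equivalent of /sc_query: returns $true when the channel is healthy
Test-ComputerSecureChannel -Verbose
```

If /sc_query names a DC you did not expect, or one in the wrong site, that is the same symptom the slow-network complaint at the top of the post produces, and /dsgetdc tells you why the locator chose it.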
